From 5c657292c32b2317e48b7e2442dbf57445bcc0f9 Mon Sep 17 00:00:00 2001
From: Tarashish Mishra
Date: Tue, 26 Nov 2024 09:01:26 +0530
Subject: [PATCH] Enable automatic backup of EBS volumes using DLM
---
 terraform/aws/data-lifecycle-manager.tf | 86 +++++++++++++++++++++++++
 terraform/aws/ebs-volumes.tf | 1 +
 2 files changed, 87 insertions(+)
 create mode 100644 terraform/aws/data-lifecycle-manager.tf
diff --git a/terraform/aws/data-lifecycle-manager.tf b/terraform/aws/data-lifecycle-manager.tf
new file mode 100644
index 0000000000..6d058c5f3d
--- /dev/null
+++ b/terraform/aws/data-lifecycle-manager.tf
@@ -0,0 +1,86 @@
+# ref: https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-lifecycle.html
+# Data Lifecycle Manager (DLM) is used to automate backup of EBS volumes.
+
+resource "aws_iam_role" "dlm_lifecycle_role" {
+ name = "dlm-lifecycle-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "dlm.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+
+# Attach required policy to the IAM role
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+ name = "dlm-lifecycle-policy"
+ role = aws_iam_role.dlm_lifecycle_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateSnapshot",
+ "ec2:CreateSnapshots",
+ "ec2:DeleteSnapshot",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots"
+ ]
+ Resource = "*"
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateTags"
+ ]
+ Resource = "arn:aws:ec2:*::snapshot/*"
+ }
+ ]
+ })
+}
+
+# Create the DLM lifecycle policy for NFS home directories backup
+resource "aws_dlm_lifecycle_policy" "nfs_backup" {
+ description = "DLM lifecycle policy for NFS home directories backup"
+ execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+ state = "ENABLED"
+
+ policy_details {
+ resource_types = ["VOLUME"]
+
+ schedule {
+ name = "Daily backup"
+
+ create_rule {
+ interval = 24
+ interval_unit = "HOURS"
+ times = ["23:45"]
+ }
+
+ retain_rule {
+ count = 5 # Keep last 5 daily backups
+ }
+
+ tags_to_add = {
+ SnapshotCreator = "DLM"
+ Purpose = "NFS-Backup"
+ }
+
+ copy_tags = true
+ }
+
+ target_tags = {
+ NFSBackup = "true" # Tag to identify volumes to backup
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/ebs-volumes.tf b/terraform/aws/ebs-volumes.tf
index 565d37bf78..a4d3c7f714 100644
--- a/terraform/aws/ebs-volumes.tf
+++ b/terraform/aws/ebs-volumes.tf
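Review bot: The inline policy on `aws_iam_role_policy.dlm_lifecycle` grants `ec2:DeleteSnapshot` with `Resource = "*"`, so the DLM execution role can delete any snapshot in the account, not only the ones this lifecycle policy creates; this appears to mirror the AWS-managed DLM service-role policy, but a tighter inline policy costs nothing here. Because `tags_to_add` stamps every snapshot with `SnapshotCreator = "DLM"`, move `ec2:DeleteSnapshot` into its own statement scoped with `Condition = { StringEquals = { "aws:ResourceTag/SnapshotCreator" = "DLM" } }`, leaving the Describe actions on `*` since they have no resource-level scoping. Separately, `retain_rule { count = 5 }` keeps only five same-account, same-region snapshots and nothing prevents this role or any other principal holding `ec2:DeleteSnapshot` from removing them, so this protects against accidental data loss but not against a compromised account; if that matters, add a `cross_region_copy_rule` (ideally into a separate account or an AWS Backup vault with vault lock) and document the intended recovery scope in the header comment. The role's trust policy also has no `aws:SourceAccount` condition on `dlm.amazonaws.com`, which is a cheap confused-deputy guard worth adding. The new file is also missing its trailing newline.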
@@ -8,6 +8,7 @@ resource "aws_ebs_volume" "nfs_home_dirs" { tags = merge(each.value.tags, { Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}" + NFSBackup = "true" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM) }) lifecycle {